
munmap_chunk(): invalid pointer error due to memcpy with negative size param in pg_query_normalize.c #254

Open
gabe-sherman opened this issue Jul 23, 2024 · 0 comments

@gabe-sherman

When provided with malformed input, the issue described above occurs in the following program:

#include <stdio.h>
#include <stdlib.h>
#include <pg_query.h>

/* Read the whole PoC file into a NUL-terminated buffer and pass it to
 * pg_query_normalize(); the crash happens inside that call. */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <poc-file>\n", argv[0]);
        return 1;
    }
    FILE *f = fopen(argv[1], "rb");
    if (f == NULL) {
        perror("fopen");
        return 1;
    }
    fseek(f, 0, SEEK_END);
    long size = ftell(f);
    rewind(f);

    char *v0 = (char*)malloc((size_t)size + 1);
    if (v0 == NULL || fread(v0, 1, (size_t)size, f) != (size_t)size) {
        fprintf(stderr, "failed to read %s\n", argv[1]);
        fclose(f);
        free(v0);
        return 1;
    }
    fclose(f);
    v0[size] = '\0';

    PgQueryNormalizeResult result = pg_query_normalize(v0);
    pg_query_free_normalize_result(result);
    free(v0);
    return 0;
}

Extra details

A memcpy with a negative size parameter occurs in pg_query_normalize.c at line #272. Later down the road this leads to a munmap_chunk(): invalid pointer error in src_backend_utils_mmgr_aset.c at line #604. Below I've provided both the ASan output and the stack trace without ASan instrumentation.

Test Environment

Ubuntu 22.04.4, 64 bit

How to trigger

./filename poc

Version

latest: c3ed78b

POC File

https://github.com/gabe-sherman/bug-pocs/blob/main/pg_query/c1

Asan output

=================================================================
==1297162==ERROR: AddressSanitizer: negative-size-param: (size=-27)
    #0 0x555555b07504 in __asan_memcpy (/home/gabriel/fuzzing-trials/pg_query/crashes/c1_minimized.out+0x5b3504) (BuildId: 9b01e93b727fad3f49af8a1eaf6bb33cca986804)
    #1 0x555555b444e9 in generate_normalized_query /home/gabriel/fuzzing-trials/pg_query/lib_asan/src/pg_query_normalize.c:272:3
    #2 0x555555b444e9 in pg_query_normalize /home/gabriel/fuzzing-trials/pg_query/lib_asan/src/pg_query_normalize.c:596:36
    #3 0x555555b43277 in main (/home/gabriel/fuzzing-trials/pg_query/crashes/c1_minimized.out+0x5ef277) (BuildId: 9b01e93b727fad3f49af8a1eaf6bb33cca986804)
    #4 0x7ffff7ca8d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7ffff7ca8e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #6 0x555555a853f4 in _start (/home/gabriel/fuzzing-trials/pg_query/crashes/c1_minimized.out+0x5313f4) (BuildId: 9b01e93b727fad3f49af8a1eaf6bb33cca986804)

0x61b000000615 is located 1429 bytes inside of 1452-byte region [0x61b000000080,0x61b00000062c)
allocated by thread T0 here:
    #0 0x555555b0823e in __interceptor_malloc (/home/gabriel/fuzzing-trials/pg_query/crashes/c1_minimized.out+0x5b423e) (BuildId: 9b01e93b727fad3f49af8a1eaf6bb33cca986804)
    #1 0x555555b4317a in main (/home/gabriel/fuzzing-trials/pg_query/crashes/c1_minimized.out+0x5ef17a) (BuildId: 9b01e93b727fad3f49af8a1eaf6bb33cca986804)
    #2 0x7ffff7ca8d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: negative-size-param (/home/gabriel/fuzzing-trials/pg_query/crashes/c1_minimized.out+0x5b3504) (BuildId: 9b01e93b727fad3f49af8a1eaf6bb33cca986804) in __asan_memcpy
==1297162==ABORTING

Backtrace

#0  0x00000000005e044c in pthread_kill ()
#1  0x00000000005cc2e6 in raise ()
#2  0x0000000000401209 in abort ()
#3  0x00000000005da086 in __libc_message ()
#4  0x00000000005e0f2c in malloc_printerr ()
#5  0x00000000005e120c in munmap_chunk ()
#6  0x00000000005e56ea in free ()
#7  0x00000000004fb874 in AllocSetReset (context=0x9f8340) at src/postgres/src_backend_utils_mmgr_aset.c:604
#8  0x0000000000412247 in MemoryContextResetOnly (context=context@entry=0x9f8340) at src/postgres/src_backend_utils_mmgr_mcxt.c:414
#9  0x00000000004fbad5 in AllocSetDelete (context=0x9f8340) at src/postgres/src_backend_utils_mmgr_aset.c:652
#10 0x0000000000402277 in pg_query_normalize (input=input@entry=0x9f1130 "DO'SELE", '\270' <repeats 193 times>...) at src/pg_query_normalize.c:619
#11 0x00000000004018c2 in main (argc=<optimized out>, argv=<optimized out>) at poc.c:17
gabe-sherman changed the title from "Title: munmap_chunk(): invalid pointer error due to memcpy with negative size param in pg_query_normalize.c" to "munmap_chunk(): invalid pointer error due to memcpy with negative size param in pg_query_normalize.c" on Jul 25, 2024
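The failure mode in the report is a chunk length that goes negative and is then handed to memcpy, whose size_t parameter turns it into a huge copy. The following is an added, constructed model of such a constant-replacement loop (it is not pg_query's code, and the loop shape, names and check are assumptions): it rejects overlapping or out-of-order constant locations before the copy instead of trusting the length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not pg_query's code) of a normalization copy loop: every
 * recorded constant (byte offset + length) is replaced by "$n" and the text
 * between constants is copied with memcpy. */
typedef struct { int location; int length; } ConstLoc;

/* Bytes written to out, or -1 when a chunk length would be negative
 * (overlapping or out-of-order constants) or the buffers would overflow.
 * A negative int passed to memcpy's size_t parameter becomes a huge copy,
 * which is what ASan reports as "negative-size-param". */
int normalize_model(const char *query, const ConstLoc *locs, int n,
                    char *out, size_t outsz)
{
    int qlen = (int)strlen(query);
    int quer_loc = 0, n_quer_loc = 0, last_off = 0, last_tok_len = 0;

    for (int i = 0; i < n; i++) {
        int off = locs[i].location;
        int tok_len = locs[i].length;
        if (tok_len < 0)
            continue;                       /* duplicate marker, skip */

        int len_to_wrt = off - last_off - last_tok_len;   /* text before constant */
        if (len_to_wrt < 0 || off + tok_len > qlen)
            return -1;                      /* malformed locations: refuse, don't memcpy */
        if ((size_t)n_quer_loc + (size_t)len_to_wrt + 16 > outsz)
            return -1;                      /* no room for chunk + "$n" + NUL */

        memcpy(out + n_quer_loc, query + quer_loc, (size_t)len_to_wrt);
        n_quer_loc += len_to_wrt;
        n_quer_loc += snprintf(out + n_quer_loc, outsz - (size_t)n_quer_loc,
                               "$%d", i + 1);
        quer_loc = off + tok_len;
        last_off = off;
        last_tok_len = tok_len;
    }
    int tail = qlen - quer_loc;             /* text after the last constant */
    if (tail < 0 || (size_t)n_quer_loc + (size_t)tail + 1 > outsz)
        return -1;
    memcpy(out + n_quer_loc, query + quer_loc, (size_t)tail);
    n_quer_loc += tail;
    out[n_quer_loc] = '\0';
    return n_quer_loc;
}

/* The size ASan printed as -27 is what memcpy actually receives as size_t. */
size_t as_memcpy_size(int len) { return (size_t)len; }
```

With well-formed locations the model yields "SELECT $1, $2 FROM t WHERE x = $3"; with a second constant recorded before the first, the length check fires and the copy never happens.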